ISPs should be able to choose how they protect customer data, they tell FCC.

Broadband industry lobby groups urged the Federal Communications Commission on Thursday not to impose privacy rules that dictate "specific methods" of protecting customer data, since that would prevent "rapid innovation."

ISPs should have "flexibility" in how they protect customers' privacy and security, said the letter from the American Cable Association, Competitive Carriers Association, Consumer Technology Association, CTIA, the Internet Commerce Coalition, the National Cable & Telecommunications Association, and USTelecom. Together, these groups represent the biggest home Internet service providers and wireless carriers such as Comcast, AT&T, Verizon, Time Warner Cable, Charter, Sprint, T-Mobile, and many smaller ones.

Further Reading

"Rules dictating specific methods quickly become out of date and out of step with constantly changing technology, and will only hamper innovation and harm consumers," they wrote.

The debate stems from the FCC's decision to reclassify fixed and mobile broadband providers as common carriers under Title II of the Communications Act. The FCC has said it intends to enforce Section 222 of Title II, which requires telecommunications carriers to protect the confidentiality of customers' proprietary information. But since the commission's existing privacy rules apply to telephone service rather than broadband, the FCC has to draw up new rules for Internet service. The phone rules protect personal information such as the numbers customers call and when they call them.

Under Section 222, the FCC could impose some version of its Customer Proprietary Network Information (CPNI) rules on broadband providers. The ISPs' letter tried to discourage the FCC from doing so, noting that the commission's Title II decision is still undergoing judicial review. Broadband industry groups complained about potential new privacy rules in their lawsuit against the FCC's Title II reclassification, saying that CPNI rules could force them to create processes to ensure that customer data is not used in marketing without customer approval.

Further Reading

Although ISPs and wireless carriers already have to follow CPNI rules when they sell telephone service, they want more flexibility in broadband.

The lobby groups used some form of the word "innovate" 10 times in yesterday's letter. Specific privacy rules, they said, could "create consumer confusion and stifle innovation." Stronger privacy rules could also make it hard for ISPs to "innovate and compete" or to develop "innovative new business models" and "innovative products and services."

If the FCC does adopt Section 222 rules, it should make them similar to the Federal Trade Commission's privacy regulations, which "combine strong protections for consumers with flexibility that allows for rapid innovation," the letter said.

"Under the FTC regime, all companies in the Internet ecosystem must ensure that their privacy and data security practices are neither deceptive nor unfair," the lobby groups wrote. "As a result, consumers are protected and all companies that collect consumer data should be able to innovate and adapt to the inevitable changes in technology and the market for online services."

ISPs also have incentives to protect customer data because otherwise they might not "earn and maintain their customers' loyalty," the groups said.

ISPs are fighting against an effort led by consumer advocacy groups such as the American Civil Liberties Union, the Electronic Frontier Foundation, Free Press, and Public Knowledge. Those groups, plus a few dozen more, last month urged the FCC to make its privacy rules stronger than the FTC's.

Even FTC Commissioner Julie Brill has said she welcomes the FCC becoming a "brawnier cop on the privacy beat," the consumer advocacy groups noted in their letter.

The FCC's rules should "protect consumers from having their personal data collected and shared by their broadband provider without affirmative consent, or for purposes other than providing broadband Internet access service," the groups said. "The proposed rules should also provide for notice of data breaches, and hold broadband providers accountable for any failure to take suitable precautions to protect personal data collected from users. In addition, the rules should require broadband providers to clearly disclose their data collection practices to subscribers, and allow subscribers to ascertain to whom their data is disclosed."

To be honest, they're not *wrong* taken by their words alone. It may be in the future, that there are industry best practices which are better than we have today, and that they might not be able to adapt if there are rulings dictating exactly what they need to do.

HOWEVER, without enforcement teeth, this is basically carte blanche to be able to be lazy, and not face consequences. How about this: let them innovate, but get congress to pass legislation with statutory liabilities (i.e. non-negotiable liabilities) for each unit of customer data that is exfiltrated out of the company's possession. Say $25 for names, addresses, and phone numbers, $50 for each customer day's browsing history, $100 for billing information, $300 for every credit card number, and $1000 for every SSN lost.

Take a company like Comcast with approximately 22 Million subscribers. If I were them, the prospect of being liable for $22 billion for the loss of SSNs alone would make me SEEEERIOUSLY consider how I handle this information.

I love this new "excuse de jour" of theirs - everything the FCC does will apparently harm all of this mythical "innovation" they've been working on.

The only "innovation" this would harm, is the financial "innovation" when they discovered companies would pad their bottom line in return for our data and new ways for them to extort greater sums of money from said data.

Hey, ISPs? It's my data, and what I want you to do with it is not subject to technological "innovation". It's subject to how comfortable I am with giving it to you.

Right now, based on this story, I feel like you should have the absolute bare minimum you need to give me the services I sign up for. No, that does not include my SSN for anything. Or my FB feed. Or anything else you may think you want, but don't need to get in contact with me or receive payment from me.

Back to the ISP versus Content Provider debate. I cannot imagine much innovation in the ISP space, I just want a pipe to my house, that's it. There's not much innovation I'm bothered about except make it bigger...

The innovation they refer to no doubt is around content and likely adverts and offers based on other content I've chosen to view; this should have nothing to do with my ISP. As soon as this happens I'm no longer a customer but a product. My ISP provider can innovate with my information as long as they are completely separate from my content provider and I am not a product or target - split them up FCC! Vertical integration is bad for the consumer here.

The scare quotes in the title of the "article" are not consistent with professional "journalism".

If the ISPs' case is really that weak, then there's no need to editorialize via the headline, just report what they're claiming and let your readers decide what to think about it.

Thanks. I "look forward" to taking your advice under "consideration."

Okay, that made me laugh.

But you've kind of made my point with that response. Unnecessary quote marks make the writer sound like a sarcastic douche with an axe to grind.

I don't trust my cable company any more than other Ars readers, but after reading the actual letter, I think both the headline and the article misrepresent what the ISPs are actually claiming. I don't believe them, but I also think they have the right to state their case without having their words twisted and quoted out of context.

Yeah, it's a judgment call and I don't use scare quotes a lot, I don't think. I get your reasoning, but in this case I felt like the lobby groups were making a pretty strong argument sound deceptively subtle. I really had to read the letter three or four times in order to figure out what they were trying to say.

The scare quotes in the title of the "article" are not consistent with professional "journalism".

If the ISPs' case is really that weak, then there's no need to editorialize via the headline, just report what they're claiming and let your readers decide what to think about it.

Thanks. I "look forward" to taking your advice under "consideration."

Okay, that made me laugh.

But you've kind of made my point with that response. Unnecessary quote marks make the writer sound like a sarcastic douche with an axe to grind.

I don't trust my cable company any more than other Ars readers, but after reading the actual letter, I think both the headline and the article misrepresent what the ISPs are actually claiming. I don't believe them, but I also think they have the right to state their case without having their words twisted and quoted out of context.

So you believe they're lying, but you don't think it's fair for the person writing the article about this (likely but alleged) like to call them out for lying?

To put it another way, if there were no quotes around the word flexible, then we're accepting the argument as the ISPs frame it. One alternative would have been to substitute in, for example, "self regulated" which is accurate but then would draw criticism for not being what they said.

Can someone please clarify which consumer data is in question here? I can only assume that the ISPs are doing packet inspection already and this is part of that. This is a good argument for VPNs.

Can someone please point us to a good comparison of VPN services? Thank you.

Pretty sad when we don't need VPNs for drug dealing or some other questionable activity like viewing region-restricted programming, but rather for preventing corporations we pay from stealing our privacy. Hey, PayPal, are you listening? We don't all use VPNs to violate copyright!

This is very important, and I want to make sure there is NO misunderstanding.

ISPS: Go. Fuck. Yourselves.

This is unclear to me.

Are you suggesting that non-real corporate identities engage in masturbation? How would that even work? Would the Comcast logo attempt to insert its T into the leading C in repetitive motions?

Or are you saying that all of the ISPs should engage in fucking? In this case, would AT&T be inserting a T into the Comcast logo?

Or maybe you weren't referring to the corporations themselves, but the actual providing of internet service? In this case, I can only suspect that cables are already being plugged into holes, and I would estimate that the response here would be: "way ahead of you." (Note: certain companies that do not see it in their best interest to correctly insert these cables into recepticle hardware because they perceive more money opportunities are excluded from the proposed response.) And if this is the case, this would make for an extremely strange technofetish. Also if technofetish isn't a word, I coin, copyright and trademark it.

Or maybe I've got this all wrong and you're suggesting some sort of massive orgy between ISP employees. In which case, I'd almost hazard a guess that this has happened, at least once, in some awkward, baudy, management celebrations. So I can only assume you are requesting that this private data be made public for embarrassment purposes, and to prove a point.

Or, of course, you could be suggesting that these ISP employees engage in self masturbation. And that's just bland. Especially since they likely enjoy it from time to time.

The scare quotes in the title of the "article" are not consistent with professional "journalism".

If the ISPs' case is really that weak, then there's no need to editorialize via the headline, just report what they're claiming and let your readers decide what to think about it.

Seems like you did decide, didn't you?

Also, since those words are clearly complete BS, doesn't it behoove the author to not simply unleash them on the readership?

Depends on what you think the author's job is. I think the point of an article like this is to report what the ISPs are claiming, and then provide context by pointing out that they have a huge and ongoing conflict of interest when it comes to regulation.

I think that any time a cable company talks about innovation, it's already cringe-inducing enough on its own that I don't need it highlighted for me.

Are the cable companies' mind control powers really so strong that to merely repeat their words without warning is to unleash some sinister force? Are we really that weak minded?

ISPs may not use or share their customer's private data in any way, shape or form without prior written consent from the customer.

Allow me to offer your local ISP monopoly's response:

Dear customers,

To provide you with the amazing service you enjoy we partner with other respected institutions. As part of this partnership we share certain information about our userbase. This is a common industry practice that forms the basis of the modern internet.

The FCC's burdensome new regulations have forced us to raise all rates by $300 per month. Thankfully through our partnerships we will be able to offer a $300 per month discount to those willing to continue to participate in this information sharing.

A consent form is attached. Please sign and return it for your $300 per month discount.

Sincerely,-Your ISP

As long as ISP's remain monopolies with uncapped rates they can respond to any attempt to assert end-user rights with "sign them away or pay enough to setup your own microwave link."

Internet services is a utility, something as essential to modern life as universal access to electricity. But we continue to regulate it as a luxury, subject to the whims of whichever corporations' fiefdom you happen to live in.

I lean quite libertarian but even I understand this situation is untenable. You cannot have a free market when a monopoly controls access to that market nor can you have liberty when your principle means of communication can be arbitrarily manipulated, limited, and your actions through it documented and sold.

ISP's must be reduced to "dumb pipes" and then either opened to resellers or aggressively price regulated.

Just because a company built electrical lines to houses does not mean they can control how people use that electricity nor can they collect identifying information on individual usage and sell it. Why should Internet service be any different?